Funny/stupid anecdote: a bunch of my kids' friends have the same phone unlock PIN as me because I set my son's new phone PIN the same as mine so he would also be able to unlock my phone if necessary.
When his friends started getting phones as well, they copied his. This has migrated through some of the friends' siblings as well.
One of my kids' friends uses the same PIN as I had when he was a kid. I would give him and my kid my debit card and they would go get pizza if they cleaned my office.
For serious though - one reason such utterly trivial codes are common is because the "lock" is just used as a fancy way of preventing the zipper from coming undone.
Likewise, on the internet, a lot of things prompt for passwords that really don't need them. People create throwaway accounts and use them as if they were temporary anonymous sessions.
Trust me, for the luggage this is a brilliant combination. Or something like 0000. Unless I work for a 3-letter institute, I leave all luggage at their default or the usual. If someone steals the luggage, that PIN is the least of the problem, but everyone else in the household will have one if you forgot your super-smart PIN.
I have a PIN lock on a shared device that friends use occasionally. Of the three friends I have given guest access to, all three asked for their PIN to be 1234, to which I said no. One had the audacity to follow up with 123456.
I moved to Switzerland, and, well, PIN codes for credit cards are 6 digits here by default.
And now I'm asking myself why no one else does this. I don't see hordes of Swiss people complaining about being unable to remember a 6-digit PIN, at least.
One of my credit unions gives out (randomized) five digit pins (although they say if you use an atm that only accepts four digit pins, the first four is enough). My other credit union only does four digits.
I think remembering one 6-digit PIN would be fine, but in the US, it's common to have many banking relationships. If I needed a pin for every credit card, I'd have to write them on the cards or set them all the same.
Not sure how this is handled in Switzerland, and I don't have good data on this, but I'd say a lot of people in Europe have at least a debit and a credit card with a PIN each.
Also nothing says you can't use the same PIN for multiple cards; they're essentially the same security domain anyway ("a piece of plastic in your wallet") — most people don't have "more" and "less" trustworthy cards…
> Also nothing says you can't use the same PIN for multiple cards; they're essentially the same security domain anyway ("a piece of plastic in your wallet") — most people don't have "more" and "less" trustworthy cards…
Why not have the same password for all your banking accounts then? But everyone says not to reuse passwords.
If someone takes your wallet, it'd be nice if they don't drain all the accounts based on figuring out the pin of one card?
Because in most cases you already use your card interchangeably across a wide variety of (hopefully sealed and certified) terminal devices.
Meanwhile your password is very specific to one website, and never entering it elsewhere is key to phishing prevention.
(my "security domain" comment was probably worded a bit poorly with the reference to your wallet, the relevant point is that most people consider card terminals interchangeable.)
No, with some cards you choose the PIN from the start and never get a randomized PIN.
Some banks in some place in the world might make it a policy not to set PINs but to force random ones. You can't definitively say what you are saying; rather, we can only go by what he said.
> One of my credit unions gives out (randomized) five digit pins (although they say if you use an atm that only accepts four digit pins, the first four is enough).
That said, guessing the PIN isn't the only attack; longer PINs also means that you have to "spy" more digits, which can be significant if the "spying" method is not 100% reliable.
But yeah. I guess it doesn't matter as long as you have a lockout mechanism.
You’ll need to be sure that all the places your cards will go accept the 6 digit PIN. Granted this was 20 years ago, but we were in Europe and couldn’t use my wife’s ATM card because she had a 6 digit PIN and all the ATMs we encountered only allowed 4 digits.
Sounds like it may be the reverse with Europe going the 6 digit route, but I think 4 digits is still pretty universal — I think most interfaces provide an enter key to terminate the PIN?
The very first ATM card I ever got, in the mid 80s in Texas, had a 6 digit PIN. When I got to choose it, it let me put 4 to 6 digits so I chose 6. A few years later they sent me my first debit card with a note that it had the same PIN. It did not. It had been truncated to 4 digits. Which made me unhappy because clearly it was sitting in plaintext in a database somewhere.
Even with a 6 digit PIN, why care whether it was stored? If someone has access to the bank's infrastructure and the PINs aren't there, they might as well be, even with computers from the 80s.
With how small the space of PINs is, is there any point in hashing? To make brute-forcing every PIN infeasible you'd have to make the hash difficulty time intolerably long.
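A worked illustration of the point made in the comment above, added here and not part of the thread: a salted slow hash only stretches the 10,000 evaluations an exhaustive check of the 4-digit space needs, it cannot make them infeasible. What does close the offline route is keying the stored value with a secret the database never holds (a pepper, or in card issuers' case a PIN verification key kept inside an HSM), and what bounds online guessing is an attempt counter. The salt, pepper, PIN, iteration count and function names below are all constructed for the demo.

```python
import hashlib
import hmac
from typing import Callable, List, Optional, Tuple

# Constructed demo parameters (not from the thread).
PIN_SPACE = 10_000   # every 4-digit PIN, "0000" .. "9999"
ITERATIONS = 100     # kept tiny so the demo runs in a second or two; at a
                     # realistic 600k iterations the same 10,000-entry loop
                     # still finishes in roughly an hour on one core.

HashFn = Callable[[str], bytes]


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted slow hash of a PIN: the standard password-storage recipe."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)


def hash_pin_with_pepper(pin: str, salt: bytes, pepper: bytes) -> bytes:
    """Same hash, then keyed with a secret that is never stored next to the
    hashes (in a real deployment an HSM-held key, the same idea as the PIN
    verification keys card issuers keep inside HSMs). Without the pepper a
    stolen table cannot be checked against any candidate PIN at all."""
    return hmac.new(pepper, hash_pin(pin, salt), "sha256").digest()


def exhaust_pin_space(stored: bytes, candidate_hash: HashFn) -> Tuple[Optional[str], int]:
    """Offline check of every 4-digit PIN against one stored value.

    Returns (matching PIN or None, number of hash evaluations spent). The
    upper bound is PIN_SPACE regardless of how expensive candidate_hash is:
    a slow hash stretches 10,000 evaluations, it cannot make them infeasible."""
    for n in range(PIN_SPACE):
        candidate = f"{n:04d}"
        if hmac.compare_digest(candidate_hash(candidate), stored):
            return candidate, n + 1
    return None, PIN_SPACE


def online_verify(stored: bytes, salt: bytes, pepper: bytes,
                  guesses: List[str], max_attempts: int = 3) -> Tuple[bool, int]:
    """What actually bounds guessing: a server-side attempt counter.
    Returns (accepted, attempts used); the counter stops at max_attempts."""
    used = 0
    for guess in guesses:
        if used >= max_attempts:
            break
        used += 1
        if hmac.compare_digest(hash_pin_with_pepper(guess, salt, pepper), stored):
            return True, used
    return False, used


if __name__ == "__main__":
    salt = b"constructed-per-user-salt"
    pepper = b"constructed-server-secret"
    plain = hash_pin("2112", salt)
    print(exhaust_pin_space(plain, lambda p: hash_pin(p, salt)))      # ('2112', 2113)
    peppered = hash_pin_with_pepper("2112", salt, pepper)
    print(exhaust_pin_space(peppered, lambda p: hash_pin(p, salt)))   # (None, 10000)
    print(online_verify(peppered, salt, pepper, ["1234", "1111", "0000", "2112"]))  # (False, 3)
```

The second `exhaust_pin_space` call is the attacker's position after a database theft: every one of the 10,000 candidates is tried and none matches, because the stored values depend on a key that was never in the table. The counter in `online_verify` is the only thing standing between a stolen card and the three most common PINs, which is why the lockout matters more than the hash.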
I love DataGenetics, lots of interesting puzzles like that on there. There's a very unique style to all the visualizations and the solutions/analyses are always clear.
Sadly, there was a post by the author in June 2019 about being diagnosed with Stage IV cancer [0]. There have been no posts since July 2022. I sincerely hope that's just because Nick doesn't have the time to blog anymore.
61 pins are used by 1/3rd of all people. So statistically, if I steal 61 debit cards, assuming I have 3 tries, and assuming people choose their own pin, I should be able to get cash off one in expectation.
I think the situation for actual PIN codes may be slightly better than suggested; sometimes (in the UK at least) your bank will assign you an initial PIN and I expect many people won’t change it, and by using a dump of passwords, you’ve probably captured some people who have created throwaway accounts and chosen the easiest possible password.
I always like Brian Kernighan's password "/.,/.," [1].
If you're going for a stupid password anyway, might as well make it easy to type. "password" is not particularly nice to type; I wonder why "asdf" is not generally more popular.
asdf and qwerty were up there in the top 10 I think. This was just prior to the days of SQL injection and I'm 100% sure you could have erased our entire production DB with a really "strong" password.
Before reaching the bottom of the article, I was wondering about 19xx codes, given that I've heard many people using years, or month/day pairings for garage door codes and such.
I was glad to see those plotted out. I was also initially surprised that not a single 19xx pin made the top 20, but I suppose it makes sense considering that there are 100 different combinations of this code.
If this site did have a field where you could enter a pin to see how common it was, you could make a really targeted phishing attack by sending the link to someone whose pin you want to know, then looking at what they click on or enter ("I'll just see how good my pin is...")
This piece reminds me of the four-digit lockbox that holds the key to get out onto our roof. Great views up there.
I knew that mathematically it would be pretty easy to brute force, and figured I could belt out a thousand combos per day and probably get it done within the week or so. "Well, no time like the present," I thought, "...better get crackin'." ((of knuckles))
Changed the combo to 0000, pulled the handle, and... click! Opened on the first try. :-D
In (game) Rust, the players can use 4 digit keylocks to secure their bases and brute forcing is indeed a strategy. The lock zaps and eventually kills you but even with that, a determined player can eventually get in.
So many silly scenes like this. I want to re-watch Futurama because the last time I watched it was as a teenager, so I'm sure I missed many of the subtle jokes.
If this analysis is from 2012, I wonder if the results would look much different using data since then? Would any patterns have changed that much? Other than more birth years in 20--, my initial guess would be no.
Just so you can see the bias to early numbers in the distribution:
for i in $(seq 1000000); do
    echo $((RANDOM % 10000))   # RANDOM is 15-bit (0..32767), so the modulo is biased toward low values
done | sort -n | uniq -c | sort -rn | gnuplot -e "set terminal dumb; set xtics 1000; plot '< cat' using 0:1 with boxes"
I think this gnuplot command makes the bias much more obvious (and even better with -persist and "set terminal x11"): gnuplot -e "set terminal dumb; set xtics 100; plot '<cat'"
Compare to the version that discards values over 3e4:
for i in $(seq 1000000); do
    x=$((RANDOM))
    while test $x -gt 30000; do x=$((RANDOM)); done   # rejection sampling: redraw values above 30000
    echo $((x % 10000))
done | sort | uniq -c | sort -rn | gnuplot -e "set terminal dumb; set xtics 100; plot '<cat'"
Or the version that uses the 32-bit SRANDOM, which reduces the bias by a factor of 2**17:
for i in $(seq 1000000); do
    echo $((SRANDOM % 10000))   # SRANDOM is 32-bit and needs bash 5.1 or newer
done | sort -n | uniq -c | sort -rn | gnuplot -e "set terminal dumb; set xtics 100; plot '<cat'"
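The bias the shell one-liners above plot can be worked out exactly rather than sampled. The following is an added example, not code from the thread: it computes how many raw generator values land on each residue under `x % 10000`, the resulting most-likely to least-likely ratio for any generator range (so it covers both the 15-bit RANDOM case and the 32-bit SRANDOM case the comments compare), and an exclusive-cutoff rejection sampler that removes the bias entirely. The function names and the seeded stand-in for RANDOM are constructed for the demo; the `secrets` module at the end is the standard library's own unbiased generator, which is what a PIN should actually come from.

```python
import random
import secrets
from fractions import Fraction
from typing import Callable, List

# Constructed parameters: bash's RANDOM is a 15-bit value, SRANDOM a 32-bit one.
RANDOM_RANGE = 2 ** 15
SRANDOM_RANGE = 2 ** 32
PIN_MODULUS = 10_000


def preimage_count(pin: int, modulus: int, range_size: int) -> int:
    """Number of raw generator values in [0, range_size) that `x % modulus`
    sends to `pin`. With range 32768 and modulus 10000, PINs 0..2767 have
    four preimages (p, p+10000, p+20000, p+30000) and the rest have three."""
    full, rem = divmod(range_size, modulus)
    return full + (1 if pin < rem else 0)


def bias_ratio(modulus: int, range_size: int) -> Fraction:
    """Probability of the most likely residue over the least likely one;
    1 means unbiased."""
    full, rem = divmod(range_size, modulus)
    return Fraction(1) if rem == 0 else Fraction(full + 1, full)


def bias_reduction(modulus: int, small_range: int, large_range: int) -> Fraction:
    """How much the excess probability (ratio - 1) shrinks when moving from
    the small generator to the large one."""
    return (bias_ratio(modulus, small_range) - 1) / (bias_ratio(modulus, large_range) - 1)


def draw_below(modulus: int, range_size: int, source: Callable[[], int]) -> int:
    """Rejection sampling: redraw whenever the raw value lands in the
    incomplete top block, so every residue keeps exactly `full` preimages.
    The cutoff must be exclusive: with 32768/10000 it is 30000, so 0..29999
    are kept. Keeping 30000 itself would hand PIN 0000 one extra preimage."""
    limit = range_size - range_size % modulus
    while True:
        x = source()
        if x < limit:
            return x % modulus


def sweep_histogram(modulus: int, range_size: int, reject: bool) -> List[int]:
    """Feed every raw value 0..range_size-1 through the mapping once and
    count how often each residue appears. Deterministic, so it shows the
    bias exactly rather than through sampling noise."""
    counts = [0] * modulus
    if not reject:
        for x in range(range_size):
            counts[x % modulus] += 1
        return counts
    raw = iter(range(range_size))
    full = range_size // modulus
    for _ in range(full * modulus):   # exactly the number of accepted values
        counts[draw_below(modulus, range_size, lambda: next(raw))] += 1
    return counts


def random_pin() -> str:
    """The right tool for an actual PIN: the standard library's secrets
    module, whose randbelow already does this rejection internally."""
    return f"{secrets.randbelow(PIN_MODULUS):04d}"


if __name__ == "__main__":
    print(bias_ratio(PIN_MODULUS, RANDOM_RANGE))                     # 4/3
    print(bias_reduction(PIN_MODULUS, RANDOM_RANGE, SRANDOM_RANGE))  # 429496/3, close to 2**17
    biased = sweep_histogram(PIN_MODULUS, RANDOM_RANGE, reject=False)
    print(min(biased), max(biased))                                  # 3 4
    fixed = sweep_histogram(PIN_MODULUS, RANDOM_RANGE, reject=True)
    print(set(fixed))                                                # {3}
    rng = random.Random(2112)   # seeded 15-bit stand-in for RANDOM, repeatable
    print(draw_below(PIN_MODULUS, RANDOM_RANGE, lambda: rng.getrandbits(15)))
    print(random_pin())
```

`bias_ratio` shows why the 15-bit plot looks lopsided (a 4:3 excess for every PIN below 2768) and why the 32-bit version looks flat (an excess of one part in 429,496, which is the "factor of 2**17" the comment above mentions). `sweep_histogram` with `reject=True` confirms the fix: once the cutoff is exclusive, every residue appears the same number of times.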
I was disappointed that my typical PIN for low security things like the snack storage closet at work, 2112, isn't there. I figured there would be more Rush fans than there are I guess.
3, 5, 7 line up on the diagonal, leaving 2 as the only other prime. So people using physical patterns are likely to choose them. Not to mention any mathematically inclined person may also choose all primes.
I think the least common PIN codes are fascinating. I'm surprised by the number of 7s in these. They look like numbers you would end up with if you asked someone to think of a random 4 digit number.
During tax season (in US), for security, you may optionally create a 5 digit pin. I wanted mine to be unaffiliated with any existing pin I have, and chose a 'random' number and wrote it down. A year later I repeated this (and had long since forgotten the previous pin), went to go write it in the same place, and saw that both 'random' numbers had the same first four digits. I now use a computer to choose random numbers because I no longer trust myself to be random.
I know about the identity protection PIN, so I've been assuming this whole time that's what I was choosing a number for. It is possible I was just doing the self-selected PIN and wasn't aware that I should be doing something additional for the other one. FWIW I haven't needed the PIN later but saved them in case I did.
Most to least common 4-digit PIN numbers from an analysis of 3.4M - https://news.ycombinator.com/item?id=40306374 - (56 points, 18 comments, 5 days ago)